chore(deps): bump the npm_and_yarn group across 3 directories with 4 updates#100

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/examples/firebase-functions/npm_and_yarn-5df72821d0

Conversation

@dependabot dependabot bot commented on behalf of github Feb 20, 2026

Bumps the npm_and_yarn group with 2 updates in the /examples/firebase-functions directory: fast-xml-parser and tar.
Bumps the npm_and_yarn group with 1 update in the /examples/nuxt directory: tar.
Bumps the npm_and_yarn group with 2 updates in the /examples/sveltekit directory: @sveltejs/kit and svelte.

Updates fast-xml-parser from 5.3.5 to 5.3.7

Release notes

Sourced from fast-xml-parser's releases.

CJS typing fix

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.3.6...v5.3.7

Entity security and performance

  • Improve security and performance of entity processing
    • new options maxEntitySize, maxExpansionDepth, maxTotalExpansions, maxExpandedLength, allowedTags, tagFilter
    • fast return when no entity is present
    • improved replacement logic to reduce the number of calls

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.3.5...v5.3.6

Changelog

Sourced from fast-xml-parser's changelog.

5.3.7 / 2026-02-20

5.3.6 / 2026-02-14

  • Improve security and performance of entity processing
    • new options maxEntitySize, maxExpansionDepth, maxTotalExpansions, maxExpandedLength, allowedTags, tagFilter
    • fast return when no entity is present
    • improved replacement logic to reduce the number of calls

5.3.5 / 2026-02-08

  • fix: Escape regex char in entity name
  • update strnum to 2.1.2
  • add missing exports in CJS typings

5.3.4 / 2026-01-30

  • fix: handle HTML numeric and hex entities when out of range

5.3.3 / 2025-12-12

  • fix #775: transformTagName with allowBooleanAttributes adds an unnecessary attribute

5.3.2 / 2025-11-14

  • fix for import statement for v6

5.3.1 / 2025-11-03

5.3.0 / 2025-10-03

  • Use Uint8Array in place of Buffer in Parser

5.2.5 / 2025-06-08

  • Inform user to use fxp-cli instead of in-built CLI feature
  • Export typings for direct use

5.2.4 / 2025-06-06

  • fix (#747): fix EMPTY and ANY with ELEMENT in DOCTYPE

5.2.3 / 2025-05-11

  • fix (#747): support EMPTY and ANY with ELEMENT in DOCTYPE

5.2.2 / 2025-05-05

  • fix (#746): update strnum to fix parsing issues related to enotations

5.2.1 / 2025-04-22

  • fix: read DOCTYPE entity value correctly

... (truncated)

Updates tar from 7.5.7 to 7.5.9

Commits
  • 1f0c2c9 7.5.9
  • fbb0851 build minified version as default export
  • 6b8eba0 7.5.8
  • 2cb1120 fix(unpack): improve UnpackSync symlink error "into" path accuracy
  • d18e4e1 fix: do not write linkpaths through symlinks
  • See full diff in compare view
Maintainer changes

This version was pushed to npm by isaacs, a new releaser for tar since your current version.

Install script changes

This version adds a prepare script that runs during installation. Review the package contents before updating.


Updates @sveltejs/kit from 2.50.0 to 2.53.0

Release notes

Sourced from @sveltejs/kit's releases.

@sveltejs/kit@2.53.0

Minor Changes

  • feat: support Vite 8 (#15024)

Patch Changes

  • fix: remove event listeners on form attachment cleanup (#15286)

  • fix: apply queries refreshed in a form remote function when a redirect is thrown (#15362)

@sveltejs/kit@2.52.2

Patch Changes

  • fix: validate form file information to prevent amplification attacks (3e607b3)

  • chore: upgrade devalue and svelte (#15339)

  • fix: parse file offset table more strictly (f47c01b)

@sveltejs/kit@2.52.0

Minor Changes

  • feat: match function to map a path back to a route id and params (#14997)

Patch Changes

  • fix: respect scroll-margin when navigating to a url-supplied anchor (#15246)

  • fix: resolve will narrow types to follow trailing slash page settings (#15027)

@sveltejs/kit@2.51.0

Minor Changes

  • feat: add scroll property to NavigationTarget in navigation callbacks (#15248)

    Navigation callbacks (beforeNavigate, onNavigate, and afterNavigate) now include scroll position information via the scroll property on from and to targets:

    • from.scroll: The scroll position at the moment navigation was triggered
    • to.scroll: In beforeNavigate and onNavigate, this is populated for popstate navigations (back/forward) with the scroll position that will be restored, and null for other navigation types. In afterNavigate, this is always the final scroll position after navigation completed.

    This enables use cases like animating transitions based on the target scroll position when using browser back/forward navigation.

  • feat: hydratable's injected script now works with CSP (#15048)

Patch Changes

... (truncated)

Changelog

Sourced from @sveltejs/kit's changelog.

2.53.0

Minor Changes

  • feat: support Vite 8 (#15024)

Patch Changes

  • fix: remove event listeners on form attachment cleanup (#15286)

  • fix: apply queries refreshed in a form remote function when a redirect is thrown (#15362)

2.52.2

Patch Changes

  • fix: validate form file information to prevent amplification attacks (3e607b3)

  • chore: upgrade devalue and svelte (#15339)

  • fix: parse file offset table more strictly (f47c01b)

2.52.1

Patch Changes

  • fix: clear stale preflight issues on subsequent valid form submissions (#15281)

  • chore: remove dependency on sade (#15272)

  • fix: include .txt files in precompression (#15259)

  • fix: escape backticks and dollar signs when creating inlined css (#15320)

  • fix: increment form.pending count before preflight validation (#15279)

2.52.0

Minor Changes

  • feat: match function to map a path back to a route id and params (#14997)

... (truncated)

Updates svelte from 5.47.1 to 5.53.0

Release notes

Sourced from svelte's releases.

svelte@5.53.0

Minor Changes

  • feat: allow comments in tags (#17671)

  • feat: allow error boundaries to work on the server (#17672)

Patch Changes

  • fix: use TrustedHTML to test for customizable <select> support, where necessary (#17743)

  • fix: ensure head effects are kept in the effect tree (#17746)

  • chore: deactivate current_batch by default in unset_context (#17738)

svelte@5.52.0

Minor Changes

  • feat: support TrustedHTML in {@html} expressions (#17701)

Patch Changes

  • fix: repair dynamic component truthy/falsy hydration mismatches (#17737)

  • fix: re-run non-render-bound deriveds on the server (#17674)

svelte@5.51.5

Patch Changes

svelte@5.51.4

Patch Changes

  • chore: proactively defer effects in pending boundary (#17734)

  • fix: detect and error on non-idempotent each block keys in dev mode (#17732)

svelte@5.51.3

Patch Changes

... (truncated)

Changelog

Sourced from svelte's changelog.

5.53.0

Minor Changes

  • feat: allow comments in tags (#17671)

  • feat: allow error boundaries to work on the server (#17672)

Patch Changes

  • fix: use TrustedHTML to test for customizable <select> support, where necessary (#17743)

  • fix: ensure head effects are kept in the effect tree (#17746)

  • chore: deactivate current_batch by default in unset_context (#17738)

5.52.0

Minor Changes

  • feat: support TrustedHTML in {@html} expressions (#17701)

Patch Changes

  • fix: repair dynamic component truthy/falsy hydration mismatches (#17737)

  • fix: re-run non-render-bound deriveds on the server (#17674)

5.51.5

Patch Changes

5.51.4

Patch Changes

  • chore: proactively defer effects in pending boundary (#17734)

... (truncated)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

You can disable automated security fix PRs for this repo from the Security Alerts page.

…updates

Bumps the npm_and_yarn group with 2 updates in the /examples/firebase-functions directory: [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser) and [tar](https://github.com/isaacs/node-tar).
Bumps the npm_and_yarn group with 1 update in the /examples/nuxt directory: [tar](https://github.com/isaacs/node-tar).
Bumps the npm_and_yarn group with 2 updates in the /examples/sveltekit directory: [@sveltejs/kit](https://github.com/sveltejs/kit/tree/HEAD/packages/kit) and [svelte](https://github.com/sveltejs/svelte/tree/HEAD/packages/svelte).


Updates `fast-xml-parser` from 5.3.5 to 5.3.7
- [Release notes](https://github.com/NaturalIntelligence/fast-xml-parser/releases)
- [Changelog](https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md)
- [Commits](NaturalIntelligence/fast-xml-parser@v5.3.5...v5.3.7)

Updates `tar` from 7.5.7 to 7.5.9
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-tar@v7.5.7...v7.5.9)

Updates `tar` from 7.5.7 to 7.5.9
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-tar@v7.5.7...v7.5.9)

Updates `@sveltejs/kit` from 2.50.0 to 2.53.0
- [Release notes](https://github.com/sveltejs/kit/releases)
- [Changelog](https://github.com/sveltejs/kit/blob/main/packages/kit/CHANGELOG.md)
- [Commits](https://github.com/sveltejs/kit/commits/@sveltejs/kit@2.53.0/packages/kit)

Updates `svelte` from 5.47.1 to 5.53.0
- [Release notes](https://github.com/sveltejs/svelte/releases)
- [Changelog](https://github.com/sveltejs/svelte/blob/main/packages/svelte/CHANGELOG.md)
- [Commits](https://github.com/sveltejs/svelte/commits/svelte@5.53.0/packages/svelte)

---
updated-dependencies:
- dependency-name: fast-xml-parser
  dependency-version: 5.3.7
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: tar
  dependency-version: 7.5.9
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: tar
  dependency-version: 7.5.9
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: "@sveltejs/kit"
  dependency-version: 2.53.0
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: svelte
  dependency-version: 5.53.0
  dependency-type: direct:development
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the labels dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) Feb 20, 2026
@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff     Package                              Supply Chain Security  Vulnerability  Quality  Maintenance  License
Updated  npm/@sveltejs/kit@2.50.0 ⏵ 2.53.0    99 +1                  100 +3         81 +1    98           100
Updated  npm/svelte@5.47.1 ⏵ 5.53.0           88 +1                  100 +6         88 +1    98 +1        100

View full report

@socket-security

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert
Warn Medium
Network access: npm set-cookie-parser in module globalThis["fetch"]

Module: globalThis["fetch"]

Location: Package overview

From: examples/sveltekit/package-lock.json → npm/@sveltejs/kit@2.53.0 → npm/set-cookie-parser@3.0.1

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/set-cookie-parser@3.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Minified code present: npm tar with 100.0% likelihood

Confidence: 1.00

Location: Package overview

From: examples/firebase-functions/package-lock.json → npm/firebase-tools@15.5.1 → npm/tar@7.5.9

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: In many cases minified code is harmless, however minified code can be used to hide a supply chain attack. Consider not shipping minified code on npm.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/tar@7.5.9. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

dependabot bot commented on behalf of github Feb 20, 2026

Superseded by #101.

@dependabot dependabot bot closed this Feb 20, 2026
@dependabot dependabot bot deleted the dependabot/npm_and_yarn/examples/firebase-functions/npm_and_yarn-5df72821d0 branch February 20, 2026 18:30